Lock user in home [solved]

Reply to Lock user in home [solved] on Wed, 02 May 2012 21:08:18 GMT

cmb — Wed, 02 May 2012 21:08:18 GMT

There is an option with wget without using scp.
http://doc.pfsense.org/index.php/Remote_Config_Backup

Afaik, there is a backup package that does exactly that. It needs a subscription however, but I would assume that it is safe.
A lot of companies (like mine) probably would have a problem though having their firewall configs backed up in a cloud

It encrypts the config before uploading, so we strictly store encrypted blobs, we have no readable configs. It's as safe as your encryption key is strong, plus requiring another account just to get to your encrypted configs.

Reply to Lock user in home [solved] on Wed, 02 May 2012 19:18:23 GMT

namezero111111 — Wed, 02 May 2012 19:18:23 GMT

Afaik, there is a backup package that does exactly that. It needs a subscription however, but I would assume that it is safe.
A lot of companies (like mine) probably would have a problem though having their firewall configs backed up in a cloud, but for SMB or home users this might be viable.
I don't know the pricing though.

Reply to Lock user in home [solved] on Wed, 02 May 2012 19:07:11 GMT

dhatz — Wed, 02 May 2012 19:07:11 GMT

IMHO a safe way to automatically backup config.xml would be an useful feature in the base pfsense install.

Reply to Lock user in home [solved] on Wed, 02 May 2012 18:53:55 GMT

namezero111111 — Wed, 02 May 2012 18:53:55 GMT

Yes, of course it is. The only reason I was making sure it was a good idea was should the server for example collect configs from 20 machines and be compromised, I wouldn't want anyone to be able to do much with the credentials on the pfsense machine.

Thanks again!

Reply to Lock user in home [solved] on Wed, 02 May 2012 17:35:53 GMT

cmb — Wed, 02 May 2012 17:35:53 GMT

ah, that's much more reasonable. I expected you were using the firewall like a file server or something, that could potentially pose issues with untrusted users. But doing so for just a backup account, which I presume will run from a secure server, is very low risk with the changes you've made there.

Reply to Lock user in home [solved] on Wed, 02 May 2012 15:06:45 GMT

namezero111111 — Wed, 02 May 2012 15:06:45 GMT

Well the reason is that I'd like a backup operator be able to pull a config.xml backup every night, which I could copy to their home directory via cron. Hence that user / service account wouldn't be entirely untrusted, but should not be able to harm the system should anything happen to the account (i.e. they shouldn't be able to modify the configuration).
Would that be unreasonable in your opinion?

As I said, I found the place in /etc/sshd where the /etc/ssh/sshd_config file is generated and added the lines seen in my first entry.
But I assume there is no easier way short of developing a small package for the community to add custom lines to sshd_config, right?

Reply to Lock user in home [solved] on Wed, 02 May 2012 11:20:19 GMT

cmb — Wed, 02 May 2012 11:20:19 GMT

I'd recommend against allowing any users shell access who wouldn't be trusted with more or less full access, even if you're chrooting and forcing sftp (though you should be reasonably safe doing that).

That said, grep /etc/inc/ for sshd_config and you'll find where it's generated and can edit the source.